Dr. Mike Lloyd, Chief Technology Officer at RedSeal Networks, spends
his days doing penetration testing to help organizations
understand their security defenses and how they can be
attacked.

Lloyd
said that while it's interesting to find out who is behind the
newest and most sophisticated cyberattacks, the important thing
to recognize is that cyberweapons are growing in number and
the U.S. is already vulnerable.

Successful attacks — including ones that steal directories of
credit card numbers, patient records and Social Security numbers
— are occurring every day.

"It's not about whether these fancy weapons, that look
like we built, could be used on us," Lloyd said. "We need to
take a step back and think, 'What kind of weapon
would it take to hurt us?' And the answer is that simple weapons
work today."

To understand why it's so
easy to hack America right now, one must recognize the
immensity of the U.S. cyber infrastructure and the consequent due
diligence required to secure it.

"The difference with America is that we are so interconnected,
we're so networked," Lloyd said. "All of our systems are
connected together — our finance systems, our power generation
systems, our social media sites, and so on. We're
interconnected here much more than anywhere else in the world and
that means if this stuff is fragile, it is much more fragile than
everywhere else."

Lloyd, whose job is to study the fragility of U.S. networks,
posits that they are indeed fragile.

Last year in the U.S. there were 855 incidents
of corporate data breaches that involved 174 million compromised
records, according to Verizon's 2012
Data Breach Investigations Report (DRIC).

While 2011 saw the second-highest data loss total since
Verizon started keeping track in
2004, 96 percent of attacks were not highly
difficult and 97 percent of breaches were
avoidable through simple or intermediate controls.

"Now that's really interesting," Lloyd said. "It's
about the thinness of the glass... We're at the
level where it is far too easy to break in."

"The vast majority [of cyberattacks] don't take the complexity of
a Stuxnet — it just takes rattling all the doorknobs," Lloyd
said. "What they're doing is rattling all of the doors, and they
find one or two that are open."

So why aren't companies using simple and intermediate
controls to make sure their networks are secure?

Lloyd said that the things companies must do are simple, but
they must be done constantly and everywhere (i.e. make sure all side
doors are locked). The issue becomes that "if you're an American
corporation, utilities industry, government agency, you
have to be amazingly consistent and that's what we're bad
at… because our infrastructures are so big and so
complex… we can't secure effectively these days."

Furthermore, it's not even good enough for a single U.S.
company to be properly secure because the huge mesh of
interconnectivity means that if one company has a problem then
the companies with which it interacts also have a problem.

And although it's not easy to get companies to collaborate with
their competitors when they've had a breach, Lloyd remains
optimistic because
disclosures have been going up, companies are recognizing
weaknesses and tools are available to implement a stronger
collective defense.

What is required, according to Lloyd, are "established
standards of due diligence" — as defined by the
cybersecurity industry — that will "demand good practices out of
the people that look after our data."

That is because the vast majority of attacks can be avoided if
the easy attacks are deterred through established
practices, rather than invited by shoddy ones.

Things like implementing disclosure laws,
requiring consistent measurement of cyber defenses, and using
automation to better understand the complexity of the U.S. grid
will hold companies accountable while also
generating greater discussion about the requirements
for acceptable cybersecurity.

The bottom line is that we're all part of the same
infrastructure, and right now we're not ready for attacks.

"Attacks are going on, our defenses are weak and
it's time to wake up and smell the coffee," Lloyd
said. "Given that we have this spyware [e.g. Flame,
Duqu], and the data-destroying [e.g. Skywiper
aspect of Flame] and the physical machine-destroying stuff [e.g.
Stuxnet] rattling around the globe, we have to take this
stuff more seriously."

Below are recommendations for smaller
organizations from Verizon's 2012
Data Breach Investigations Report. The DRIC states that "all
the evidence at our disposal suggests a huge chunk of the problem
for smaller businesses would be knocked out if they were
widely adopted."